Glossary of Terms

A reference guide to common terms used in cookie consent, privacy regulations, and data protection.

A

B

Browser fingerprinting

A tracking technique that identifies visitors by collecting unique characteristics of their browser and device (screen resolution, installed fonts, browser version, operating system) instead of using cookies. Under Article 5(3) of the ePrivacy Directive, fingerprinting requires consent because it involves accessing information from the user's terminal equipment. While the legal mechanism differs from cookies (reading device characteristics rather than storing data), the consent requirement is the same.

C

CCPA / CPRA

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), gives California residents rights over their personal information. Unlike GDPR, CCPA follows an opt-out model for adults: businesses can collect data by default but must provide a clear way for consumers to opt out of the sale or sharing of their personal information. For minors under 16, the model flips to opt-in: teens aged 13 to 15 must affirmatively consent, and children under 13 require parental consent. See CCPA and Cookies for details.

D

Data controller

Under GDPR, the entity that determines the purposes and means of processing personal data. The website operator is typically the data controller. Controllers are responsible for ensuring that consent is properly obtained and that data processing is lawful.

Data processor

An entity that processes personal data on behalf of the data controller, for example an analytics service or a consent management platform like LiteConsent. Processors must act only on the controller's instructions and are bound by a data processing agreement (DPA).

Data subject

The individual whose personal data is being collected or processed. In the context of cookies, the data subject is the website visitor whose browser stores the cookies and whose behavior is being tracked.

DPA (Data Processing Agreement)

A legally binding contract between a data controller and a data processor that outlines how personal data will be handled, what security measures are in place, and what happens if a data breach occurs. Required by GDPR Article 28 whenever a controller uses a third-party processor.

E

ePrivacy Directive

EU Directive 2002/58/EC (amended in 2009), often called the "Cookie Directive." It requires prior informed consent before storing or accessing information on a user's device, with an exception for strictly necessary cookies. While GDPR governs personal data broadly, the ePrivacy Directive specifically covers electronic communications and cookies. Each EU member state has transposed it into national law with slight variations.

F

G

GDPR (General Data Protection Regulation)

EU Regulation 2016/679, the primary data protection law in the European Union. It applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is based. GDPR establishes an opt-in consent model for cookies: non-essential cookies may only be set after the visitor gives explicit, informed, and freely given consent. Violations can result in fines of up to 4% of annual global revenue or 20 million euros, whichever is greater. See GDPR and Cookies for details.

GPC (Global Privacy Control)

A browser-level signal (sent via the Sec-GPC HTTP header) that tells websites the visitor does not want their personal information sold or shared. Legally recognized under CCPA/CPRA and a growing number of other US state privacy laws, including Colorado, Connecticut, Texas, Montana, Oregon, and Delaware. LiteConsent can detect and honor GPC signals automatically.

I

IAB TCF (Transparency & Consent Framework)

A standardized framework developed by the Interactive Advertising Bureau (IAB Europe) for managing consent in the digital advertising ecosystem. It defines a common format for encoding and communicating consent signals between publishers, advertisers, and ad-tech vendors. TCF is widely used in programmatic advertising but adds significant complexity to consent management.

J

Jurisdiction

The legal territory whose privacy laws apply to a particular visitor. Different jurisdictions have different consent requirements: the EU uses an opt-in model (GDPR), California uses an opt-out model (CCPA), and some regions have no specific cookie laws. LiteConsent detects the visitor's jurisdiction by location and adapts the consent banner accordingly. See Jurisdictions for configuration.

L

Legitimate interest

One of the six lawful bases for processing personal data under GDPR (Article 6(1)(f)). Some organizations claim legitimate interest as a basis for setting analytics cookies without consent. However, most European data protection authorities take the position that legitimate interest cannot override the ePrivacy Directive's consent requirement for cookies, making it an unreliable basis for cookie-based tracking.

M

O

Opt-in

A consent model where non-essential cookies may only be set after the visitor actively agrees. Used under GDPR and the ePrivacy Directive. The visitor must take a positive action (clicking "Accept" or toggling categories on); pre-ticked checkboxes or continued browsing do not count as valid opt-in consent.

Opt-out

A consent model where data collection happens by default and the visitor can choose to stop it. Used under CCPA: businesses may collect and use personal information but must provide a "Do Not Sell or Share My Personal Information" link. LiteConsent adapts the banner behavior based on the visitor's jurisdiction, showing an opt-in banner for GDPR regions and an opt-out notice for CCPA regions.

P

Personal data

Under GDPR, any information that can directly or indirectly identify a natural person. In the context of cookies, this includes cookie identifiers, IP addresses, device fingerprints, and browsing behavior. Even pseudonymous data (like a randomly generated cookie ID) is considered personal data if it can be linked back to an individual.

Privacy policy

A legal document that describes how an organization collects, uses, stores, and shares personal data. Broader than a cookie policy: it covers all personal data processing, not just cookies. GDPR requires every data controller to have one. Your cookie policy should link to your privacy policy, and vice versa.

S

T

Tracking pixel

A tiny, invisible image (typically 1x1 pixel) embedded in a web page or email that sends a request to a remote server when loaded. The server records the request along with metadata like the visitor's IP address, browser, and timestamp. Tracking pixels are used by advertising platforms (Meta Pixel, LinkedIn Insight Tag) and email marketing tools. Under GDPR, they require the same consent as cookies because they access information on the user's device.